811331 sites analysed

State of EU Web Security

A deep technical analysis of 811331 European websites. TLS configuration, email authentication, security headers, and DNS security — measured, not estimated.

TLS 1.3: 86.6%
DMARC reject: 9.2%
HSTS: 28%
CSP: 11%
DNSSEC: 16%
HTTPS: 77%
IPv6 ready: 0%
HTTP/3: 1%
NS redundancy: 2%
sec.txt CRA: 0%
Mixed content: 1%
CSP reporting: 1%

TLS & Certificates

810550 sites scanned

TLS encrypts data in transit. TLS 1.3 is the current standard — older versions have known vulnerabilities. Required by GDPR Art. 32 (encryption of personal data), NIS2 Art. 21 (state of the art security measures), and PCI DSS 4.0 (TLS 1.2+ mandatory since March 2025).

TLS Version Distribution

TLSv1.3: 86.6%
TLSv1.2: 13.3%
Unknown: 0.0%

Certificate Features

Forward Secrecy: 13%
Certificate Transparency: 100%
OCSP Stapling: 34%
Wildcard Certs: 32%
Deprecated TLS: 0%

HTTP Security Headers

858012 sites scanned

HTTP security headers instruct browsers to enable protections like XSS filtering, clickjacking prevention, and content type enforcement. OWASP recommends all six headers. NIS2 Art. 21 and ISO 27001 A.8.9 require appropriate technical measures — missing headers indicate gaps.

Header Adoption Rates

Strict-Transport-Security (HSTS): 28%
X-Content-Type-Options: 28%
X-Frame-Options: 19%
Referrer-Policy: 13%
Content-Security-Policy (CSP): 11%
Permissions-Policy: 7%

HTTPS Redirect: 77%
HSTS Preload Ready: 5%
security.txt: 3%
Open CORS: 36%
HSTS < 6 months: 2%
Unsafe Referrer-Policy: 1%
COOP Enabled: 2%
Server Misconfigs: 5%

Email Security

839793 sites scanned

SPF, DKIM, and DMARC prevent email spoofing and phishing. Without DMARC enforcement, attackers can send emails that appear to come from your domain. Required by NIS2 Art. 21 (supply chain security), DORA Art. 9 (ICT risk management), and BSI IT-Grundschutz APP.5.3.

DMARC Policy Distribution

Reject: 9.2%
Quarantine: 7.8%
None (monitor only): 29.2%
No DMARC: 53.8%

Email Authentication

SPF: 75%
DKIM: 31%
DMARC: 46%
STARTTLS: 55%
Modern SMTP TLS: 54%
Blacklisted: 0%

DKIM Key Size Distribution

384-bit: 0.0%
512-bit: 0.0%
768-bit: 0.1%
1024-bit: 30.3%
1048-bit: 0.0%
1148-bit: 0.0%
2024-bit: 0.0%
2048-bit: 69.5%
3072-bit: 0.0%
4096-bit: 0.1%
8192-bit: 0.0%

Email Spoofability by Industry

Percentage of sites in each industry without an effective DMARC policy, i.e. whose domain can be spoofed in email (number of sites in the industry in parentheses).

Food: 87% (234911)
Hospitality: 86% (112967)
Beauty: 86% (31007)
Pets: 85% (3547)
Culture: 84% (30463)
Sports: 83% (47261)
Fashion: 83% (29017)
Home & Garden: 83% (27778)
Travel: 83% (23756)
Real Estate: 83% (12192)
Automotive: 82% (37320)
Education: 81% (99423)
Healthcare: 81% (52822)
Construction: 81% (13980)
NGO: 81% (12045)
Pharma: 78% (14485)
Professional Services: 76% (15904)
Tech: 68% (18234)
Media: 67% (4142)
Ecommerce: 50% (4514)

DNS Security

858734 sites scanned

DNS security features protect against cache poisoning, domain hijacking, and man-in-the-middle attacks. DNSSEC is recommended by ENISA and required under NIS2 for essential entities. CAA prevents unauthorized certificate issuance (RFC 8659). MTA-STS enforces TLS for inbound email.

DNSSEC Signing: 16%
DANE/TLSA: 6%
CAA Records: 3%
MTA-STS: 1%
TLS-RPT: 1%
BIMI: 0%

MTA-STS Mode Breakdown

enforce (2485)
testing (1100)
unknown (624)
none (96)

Zone Transfer (AXFR) open on 1% of domains — full DNS zone data is publicly accessible.

Methodology

How this data was collected and what it represents.

All data is collected through automated, non-intrusive scans of publicly accessible websites. No login credentials are used, no forms are submitted, and no private data is accessed.

Sites are scanned across multiple dimensions: HTTP headers, TLS certificates, DNS records, and email authentication (SPF/DKIM/DMARC). Privacy, accessibility, and technology data are available in dedicated reports.

No individual sites are named. All statistics are aggregated and anonymised. Regulatory references indicate which requirements relate to each finding — they do not assert non-compliance of any specific organisation.

Where does your website stand?

Run a free security scan and see how you compare — TLS, headers, email, DNS — in 30 seconds, no account needed.

Based on automated scans of 811331 European websites. Updated continuously.